Monday, December 16, 2019

OSPF and neighborship between two Different IP subnets

As we all know, one of the conditions for two routers to become OSPFv2 neighbors and form an adjacency is that the link connecting them is on the same IP subnet.

This was the situation until OSPFv3 came onto the scene and resolved the issue. For example, suppose you are an engineer working on merging two companies into one network, OSPFv3 is in use, and the IP subnets in use are totally different: say one is in class A and the other in class C, and you have two routers (R1, R2) that will be used as the merge point, as in the figure below:



So now we activate OSPFv3 on the R1 and R2 interfaces (E0/0), and the first thing you will notice is that they form an adjacency and become neighbors as below (OSPFv3 builds the adjacency over the IPv6 link-local addresses on the link, so the IPv4 subnets configured on the interfaces are not part of the check):
Use the command #show ospfv3 neighbor; you can see from the output that the two routers formed the adjacency.

This can also be seen in Chapter 17, IPv6 Routing Protocols and Redistribution, of the CCNP ROUTE OCG, which shows a comparison between OSPF versions 2 and 3, as you can see in the highlighted part of the table below:
When there is a newer version of the same protocol, it means something new was added to enhance the existing features; this applies to the OSPF and RIP versions and to BGP.

I hope this was useful !



Samer R. Saleem

Tuesday, October 8, 2019

How To Configure Cisco Router To Work As A Bridge

As we know, a router's job is routing, and its interfaces must be configured on non-overlapping subnets, but how can we deal with a special requirement to make the router work as if it were part of a switched network?

For example:

One of your customers asked for help setting up the following topology:

Load Balance <======> Internet Router <=======> Firewall
This could be due to a change in design where the router stays in the picture while passing traffic just like a hub device.


But you need to drop routing on the Internet Router and use the same subnet on all three devices; let's say we will use the 10.0.0.0/24 subnet to connect the three devices' interfaces together.

You have already finished the Load Balancer's G0/0 IP configuration.
You have also finished the Firewall's G0/0 interface IP configuration.

All that is left is to make the two router interfaces facing the Firewall and the Load Balancer (G0/0 and G0/1) work as one IP address within the same subnet (10.0.0.0/24). The IP addresses to be used are:

LB IP is 10.0.0.1 mask 255.255.255.0
Internet RTR ip is 10.0.0.2 mask 255.255.255.0
Firewall IP is 10.0.0.3 mask 255.255.255.0

The solution is to configure the Internet RTR to work as a bridge, using a BVI interface with the IP 10.0.0.2/24 as below:

bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface GigabitEthernet0/0
bridge-group 1
!
interface GigabitEthernet0/1
bridge-group 1
!
interface BVI 1
ip address 10.0.0.2 255.255.255.0

and then bring both interfaces up:
#interface range G0/0-1
#no shutdown

You can then verify the connectivity between the devices using ping.

You can also use #show interface bvi 1 on the Internet Router.

Also :
RTR#show bridge 1 verbose

Total of 300 station blocks, 300 free
Codes: P - permanent, S - self


Flood ports (BG 1)           RX count    TX count
G0/0                                         2           2
G0/1                                         2           2

I hope this was useful!
Thanks

Samer R. Saleem

Wednesday, September 11, 2019

How to allow eBGP MD5 authentication when ASA Firewall in between

Hi,

I read an interesting article about the issue you will face when you have an ASA firewall between two Cisco routers that are peering in eBGP with MD5 used to secure the peering.
I will be posting my lab results and findings, using a small topology I built in EVE-NG Community.

The picture below explains some of the configs:
R1<<<< ASA >>>> R2

You will need to configure the ASA interfaces as below:
G0/0 (ip address and nameif)
G0/1 (ip address and nameif)
Then configure both routers' interfaces and ping to make sure the ASA is reachable.
Once EIGRP has completed its adjacency you will see R2's and R1's networks, but they will not have reachability between them, so you will need to add ICMP to the ASA inspection policy:
class inspection_default
  inspect icmp

After this you will have reachability from R1's loopback0 to R2's loopback0; here we start configuring eBGP:
R2:
router bgp 222
bgp log-neighbor-changes
network 200.200.200.200 mask 255.255.255.255
neighbor 1.1.1.1 remote-as 111
neighbor 1.1.1.1 password 12345
neighbor 1.1.1.1 disable-connected-check
neighbor 1.1.1.1 update-source Loopback0

R1:
router bgp 111
bgp log-neighbor-changes
network 100.100.100.100 mask 255.255.255.255
neighbor 2.2.2.2 remote-as 222
neighbor 2.2.2.2 password 12345
neighbor 2.2.2.2 disable-connected-check
neighbor 2.2.2.2 update-source Loopback0

Note: I have created two more loopbacks, 100 and 200, on R1 and R2, advertised them over BGP only, and disabled the directly-connected check on BGP.
You will see the session come up and the prefixes appear in both BGP tables.

However, once you add password authentication under BGP, you will start seeing the logs below:
R2(config-router)#
*Sep 11 08:54:44.093: %TCP-6-BADAUTH: No MD5 digest from 1.1.1.1(36963) to 2.2.2.2(179) tableid - 0
R2(config-router)#
*Sep 11 08:54:46.098: %TCP-6-BADAUTH: No MD5 digest from 1.1.1.1(36963) to 2.2.2.2(179) tableid - 0
R2(config-router)#
*Sep 11 08:54:50.106: %TCP-6-BADAUTH: No MD5 digest from 1.1.1.1(36963) to 2.2.2.2(179) tableid - 0
and the BGP session will be lost.

The reason for this is that BGP runs over TCP port 179, which passes fine, but once MD5 authentication is used the ASA strips the authentication, which is carried as TCP option 19 (the TCP MD5 Signature option of RFC 2385); by default the ASA's TCP normalizer clears any TCP option it has not been told to allow.
The routers therefore never see the MD5 digest on the connection attempt, so you will need to add the following on the Cisco ASA:


1. First, create an extended ACL to match the traffic between the BGP routers:
access-list bgp extended permit tcp host 1.1.1.1 host 2.2.2.2 eq bgp
access-list bgp extended permit tcp host 2.2.2.2 host 1.1.1.1 eq bgp
2. Create a TCP map that allows option 19:
tcp-map allow-tcp-19
  tcp-options range 19 19 allow
3. Create the class map BGP that matches the ACL, then reference it from the global policy map to apply our settings. The class map must exist before the policy map refers to it. Sequence-number randomization is disabled as well, because the MD5 digest covers the TCP sequence numbers, so a sequence number rewritten by the ASA would invalidate the digest:
class-map BGP
  match access-list bgp
policy-map global_policy
  class BGP
    set connection random-sequence-number disable
    set connection advanced-options allow-tcp-19


After this is done, you will get the BGP session up again!

R2#
*Sep 11 09:14:59.477: %BGP-5-NBR_RESET: Neighbor 1.1.1.1 active reset (BGP Notification sent)
*Sep 11 09:14:59.477: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
R2#
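The option the firewall clears can be seen directly in the TCP header. The following Python example is added here and is not from the post: it builds a constructed BGP SYN carrying the RFC 2385 MD5 Signature option (kind 19, length 18) and a second SYN with that option removed, which is what R2 receives once the ASA has cleared it, then parses the option list the way a receiving TCP stack does. The digest bytes are a placeholder, not a real signature.

```python
import struct

TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MSS = 2
TCP_OPT_MD5 = 19   # RFC 2385 TCP MD5 Signature: kind 19, length 18 (2 + 16-byte digest)


def build_tcp_header(src_port, dst_port, options=b""):
    """Build a minimal SYN header (checksum left zero) with raw options, padded to 4 bytes."""
    options += b"\x00" * ((-len(options)) % 4)          # EOL padding
    data_offset = (20 + len(options)) // 4               # header length in 32-bit words
    base = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset << 4, 0x02, 65535, 0, 0)
    return base + options


def parse_tcp_options(header):
    """Return [(kind, payload), ...] following the TLV rules of the TCP option space."""
    data_offset = (header[12] >> 4) * 4
    opts = header[20:data_offset]
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:                          # single-byte option, no length field
            parsed.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):         # reject bogus lengths instead of looping
            raise ValueError("bad TCP option length")
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed


def has_md5_signature(header):
    """True when a well-formed option 19 with a 16-byte digest is present."""
    return any(k == TCP_OPT_MD5 and len(v) == 16 for k, v in parse_tcp_options(header))


# Constructed samples: ports taken from the post's %TCP-6-BADAUTH log, digest is a placeholder.
MSS_OPTION = bytes([TCP_OPT_MSS, 4, 0x05, 0xb4])
MD5_OPTION = bytes([TCP_OPT_MD5, 18]) + b"\xab" * 16
SIGNED_SYN = build_tcp_header(36963, 179, MSS_OPTION + MD5_OPTION)    # what R1 sends
STRIPPED_SYN = build_tcp_header(36963, 179, MSS_OPTION)               # what R2 sees via the ASA
```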

I hope this was useful!

I will upload the EVE-NG lab export.

Thanks,

Monday, June 10, 2019

Cisco Router as an HTTPS server


How to configure Cisco router to work as an HTTPS server


As we know, HTTPS is the secure version of the HTTP protocol; configuring it on a Cisco router gives you several options so that the data sent to and received from the router is encrypted.

I will start by configuring a simple topology consisting of two routers working as server and client.


HTTP will be disabled on the router and only HTTPS will be enabled.


Server configuration:
You need to enable Telnet on your Line VTY

#no ip http server [disables the plain HTTP server on port 80]
#ip http secure-server [enables the secure server, "HTTPS"]
#ip http secure-ciphersuite 3des-ede-cbc-sha [restricts the ciphersuite to 3DES-EDE-CBC with SHA-1, the suite shown in the verification output]
#ip http secure-port 4143 [changes the HTTPS port to 4143 instead of 443]
#ip http max-connections 2 [limits the concurrent incoming connections to 2]
#access-list 10 permit 192.168.1.0 0.0.0.255 log [access list permitting only 192.168.1.0/24 and logging the hits]
#ip http access-class 10 [applies access list 10 to the HTTP/HTTPS server, shown as "HTTP server access class: 10" in the verification output]

Verify:
HTTP-SERVER#show ip http server status
HTTP server status: Disabled
HTTP server port: 80
HTTP server active supplementary listener ports:
HTTP server authentication method: enable
HTTP server digest algorithm: md5
HTTP server access class: 10
HTTP server base path:
HTTP server help root:
Maximum number of concurrent server connections allowed: 2
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Maximum number of requests allowed on a connection: 1
Server linger time : 60 seconds
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 4143
HTTP secure server ciphersuite: 3des-ede-cbc-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
HTTP-SERVER#sho ip http server connection
HTTP server current connections:
local-ipaddress:port  remote-ipaddress:port in-bytes   out-bytes
    192.168.1.1:4143      192.168.1.2:23074 0          0        

Access list logs:
This log is generated after an HTTPS connection is established from the server to itself.

*Jun 10 06:52:57.305: %SEC-6-IPACCESSLOGNP: list 10 permitted 0 192.168.1.1 -> 0.0.0.0, 1 packet

This log is generated after an HTTPS connection is established from another router (client 192.168.1.2):
*Jun 10 06:54:22.992: %SEC-6-IPACCESSLOGNP: list 10 permitted 0 192.168.1.2 -> 0.0.0.0, 3 packets


Another command to check the history:
HTTP-SERVER#show ip http server history

HTTP server history:
local-ipaddress:port  remote-ipaddress:port in-bytes   out-bytes  end-time
    192.168.1.1:80        192.168.1.2:41994 14         122        06:38:11 06/10
    192.168.1.1:4143      192.168.1.2:13699 0          0          06:51:30 06/10
    192.168.1.1:4143      192.168.1.1:29427 0          0          06:52:58 06/10
    192.168.1.1:4143      192.168.1.2:12248 0          0          06:55:41 06/10

As you can see above, the first line shows an old entry for an HTTP session even though I have disabled HTTP on the router.


Now have a look at what happens if we try to connect over HTTPS from the client using its loopback0 (2.2.2.2):

R2-CLIENT#telnet 192.168.1.1 4143 /source-interface loopback0
Trying 192.168.1.1, 4143 ...
% Connection refused by remote host

While if I change the source to the E0/0 interface (192.168.1.2), it succeeds:

R2-CLIENT#telnet 192.168.1.1 4143 /source-interface e0/0
Trying 192.168.1.1, 4143 ... Open

HTTP-SERVER#show ip access-lists
Standard IP access list 10
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 log (8 matches)
    20 deny   any (3 matches)
HTTP-SERVER#



Samer R. Saleem

Sunday, April 14, 2019

EEM to send email when Interface goes down

Introduction about EEM:

Cisco IOS Embedded Event Manager (EEM) is a powerful and flexible subsystem that provides real-time network event detection and onboard automation. It gives you the ability to adapt the behavior of your network devices to align with your business needs.
Your business can benefit from the capabilities of IOS Embedded Event Manager without upgrading to a new version of Cisco IOS Software. It is available on a wide range of Cisco platforms.
IOS Embedded Event Manager supports more than 20 event detectors that are highly integrated with different Cisco IOS Software components to trigger actions in response to network events. Your business logic can be injected into network operations using IOS Embedded Event Manager policies. These policies are programmed using either the simple command-line interface (CLI) or a scripting language called Tool Command Language (Tcl).
Harnessing the significant intelligence within Cisco devices, IOS Embedded Event Manager helps enable creative solutions, including automated troubleshooting, fault detection, and device configuration.
Source: Cisco.com




Let's get to it:

I will create an EEM applet called INTERFACE_DOWN, and then choose the pattern that will match a certain string appearing in the syslog (for example interface up, interface down, OSPF neighbor aged out, or anything else you want to match against). The applet is configured in global configuration mode:
R1(config)#event manager applet INTERFACE_DOWN
R1(config-applet)#event syslog pattern " Loopback123, changed state to up"
R1(config-applet)#action 1.0 cli command "enable"   (optional)
R1(config-applet)#action 2.0 cli command "show ip interface br | in up"
R1(config-applet)#action 3.0 mail server "mail.pbit.com" to "samer.rafid@pbit.com" from "net.admin@pbit.com" subject "link is down" body "please check internet link"
R1(config-applet)#end


Then, to see this in action, you can enable debugging of the event manager mail actions:
#debug event manager action mail


Apr 14 14:17:27: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write Date: Sun, 14 Apr 2019 14:17:27 +0300
Apr 14 14:17:27: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write Message-ID: <000A2019141727818@PBIT-VG2.PBIT.COM>
Apr 14 14:17:27: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write From: net.admin@pbit.com
Apr 14 14:17:27: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write To: samir.rafid@pbit.com
Apr 14 14:17:27: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write Subject: link is down
Apr 14 14:17:27: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write
Apr 14 14:17:27: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write please check internet link
Apr 14 14:17:27: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write .
Apr 14 14:17:27: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : fh_smtp_chk_reply looking for {250}
Apr 14 14:17:28: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : fh_smtp_read {250 2.6.0 <000A2019141727818@PBIT-VG2.PBIT.COM> [InternalId=14955076124730, Hostname=mail02.PBIT.com] 1526 bytes in 0.182, 8.147 KB/sec Queued mail for delivery

}
Apr 14 14:17:28: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write QUIT
Apr 14 14:17:28: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : fh_smtp_chk_reply looking for {221}
Apr 14 14:17:28: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : fh_smtp_read {250 2.1.5 Recipient OK
}
Apr 14 14:17:28: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write DATA
Apr 14 14:17:28: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : fh_smtp_chk_reply looking for {354}
Apr 14 14:17:28: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : fh_smtp_read {221 2.0.0 Service closing transmission channel
}
Apr 14 14:17:28: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : fh_smtp_read {354 Start mail input; end with <CRLF>.<CRLF>
}
Apr 14 14:17:28: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write Date: Sun, 14 Apr 2019 14:17:28 +0300
Apr 14 14:17:28: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write Message-ID: <000B2019141728818@PBIT-VG2.PBIT.COM>
Apr 14 14:17:28: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write From: net.admin@pbit.com
Apr 14 14:17:28: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write To: samir.rafid@pbit.com
Apr 14 14:17:28: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write Subject: link is down
Apr 14 14:17:28: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write
Apr 14 14:17:28: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write please check internet link
Apr 14 14:17:28: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write .
Apr 14 14:17:28: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : fh_smtp_chk_reply looking for {250}
Apr 14 14:17:29: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : fh_smtp_read {250 2.6.0 <000B2019141728818@PBIT-VG2.PBIT.COM> [InternalId=14955076124731, Hostname=mail02.PBIT.com] 1526 bytes in 0.169, 8.800 KB/sec Queued mail for delivery
}
Apr 14 14:17:29: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : smtp_write QUIT
Apr 14 14:17:29: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : fh_smtp_chk_reply looking for {221}
Apr 14 14:17:29: %HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(smtp_lib) : fh_smtp_read {221 2.0.0 Service closing transmission channel


Samer R. Saleem

Sunday, March 10, 2019

Configure basic Netflow to check top 10 talkers on Network

In this post I will talk about how to configure a Cisco router with NetFlow to check the top talkers in the network, using the topology below:

R5 will be configured with NetFlow and R6 will send ICMP packets to R5's loopback.
Configurations:


Then we start sending packets from R6 and use the command #show ip flow top-talkers;
the result shows the counters gradually increasing, as below:


You can see that I'm sourcing traffic from R6's loopback towards R5's loopback and the byte count increases as the ICMP pings continue.
